(ISC)²® (“ISC-squared”), the world’s largest not-for-profit information security professional body and administrators of the CISSP®, today released the results of its sixth Global Information Security Workforce Study (GISWS) in partnership with Booz Allen Hamilton, conducted by Frost & Sullivan. The study of more than 12,000 information security professionals worldwide reveals that the global shortage of information security professionals is having a profound impact on the economy and is driven by a combination of business conditions, executives not fully understanding the need for security, and an inability to locate enough qualified information security professionals.

The report finds that hacktivism (43 percent), cyber-terrorism (44 percent), and hacking (56 percent) are among the top concerns identified by respondents, yet more than half – 56 percent – feel their security organizations are short-staffed. Many organizations (15 percent) are not able to put a timeframe on their ability to recover from an attack, even though service downtime is one of the highest priorities for nearly three-quarters of respondents. The data concludes that the major shortage of skilled cyber security professionals is negatively impacting organizations and their customers, leading to more frequent and costly data breaches.

“Now, more than ever before, we’re seeing an economic ripple effect occurring across the globe as a result of the dire shortage of qualified information security professionals we’ve been experiencing in recent years,” said W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director of (ISC)². “Underscored by the study findings, this shortage is causing a huge drag on organizations. More and more enterprises are being breached, businesses are not able to get things done, and customer data is being compromised. Given the severity of cyber espionage, hacktivism, and nation-state threats, the time is now for the public and private sectors to join forces and close this critical gap. We must focus on building a skilled and qualified security workforce that is equipped to handle today’s and tomorrow’s most sophisticated cyber threats.”

The GISWS finds that there is also a major shortage of software development professionals trained in security and that application security vulnerabilities still rank highest among security concerns – a trend identified in the 2011 GISWS. Threats from malware and mobile devices are also at the top of the list, and cloud security, Bring Your Own Device (BYOD), and social networking are all reported as major concerns in terms of newer security threats on the horizon.

Some of the other key findings from the study include:

Information security is a stable and growing profession, and careers in security are fruitful – Information security professionals are enjoying stable employment. Over 80 percent of respondents reported no change in employer or employment in the last year, and 58 percent reported receiving a raise in the last year. The number of professionals is projected to grow steadily globally by more than 11 percent annually over the next five years. The global average annual salary for (ISC)²-certified professionals is US$101,014, which is 33 percent higher than that of professionals not holding an (ISC)² certification.

New skills, deepening knowledge, and a wider range of technologies are needed – A multi-disciplinary approach is required to address the risks in BYOD and cloud computing. 78 percent of respondents said BYOD technology is a significant security risk, and 74 percent reported that new security skills are required to meet the BYOD challenge. 68 percent reported social media is a security concern, with content filtering being the chief security measure used.

Application vulnerabilities rank the highest among security concerns, yet most organizations are not prioritizing secure software development – Almost half of security organizations are not involved in software development, and security is not among the most important factors when considering an outsourcing provider for software development, yet 69 percent reported application vulnerabilities as their top concern.

Top security priorities vary among verticals, logically – 63 percent of banking, insurance, and finance respondents selected damage to the organizations’ reputation as a top priority. In healthcare, 59 percent chose customer privacy violations as top priority. 57 percent of construction respondents chose health and safety as a top priority, and 50 percent of telecom and media respondents chose service downtime as their top priority.

While attack remediation is anticipated to be rapid, security incident preparedness is exhibiting signs of strain – 28 percent of respondents believe their organizations can remediate from a targeted attack within a day, and 41 percent said that they could remediate the damage within one week or less. A good portion of the respondents said they don’t know how long damage remediation may take. With regard to being prepared for a security incident, twice the percentage of respondents in the 2013 survey believe their readiness has worsened in the past year, compared with respondents in the 2011 survey.

Knowledge and certification of knowledge weigh heavily in job placement and advancement – Nearly 70 percent view certification as a reliable indicator of competency when hiring. Almost half of hiring companies – 46 percent – require certification. 60 percent of those surveyed plan to acquire certifications in the next 12 months, and the CISSP is still the top certification in demand.

“Security is an organization-wide responsibility, with information security professionals serving as the beacon of knowledge and security stewardship,” states Michael Suby, Stratecast VP of Research at Frost & Sullivan and author of the report. “Information security professionals are constantly on the front lines, having to adapt to an ever-changing threat and IT landscape. They are also in a strategic position to educate business leaders as to why and how security is critical to all areas of the business. As the GISWS reveals, the need for more skilled and qualified security professionals to deal with the onslaught of sophisticated cyber attacks organizations are facing on a daily basis is real and acute. If we continue to let this skills gap grow, the economy will undoubtedly suffer.”

“Booz Allen recognizes the need for highly skilled professionals to meet demands of the growing digital enterprise. It takes a combination of people, process and technology to combat the evolving threat landscape, while at the same time, embrace the opportunities that come with cloud computing, social media and BYOD,” commented William Stewart, senior vice president at Booz Allen Hamilton. “This study reinforces the incredible need for a strong cyber workforce, particularly since security professionals increasingly have a seat at the board table, influencing decisions that impact business operations.”

Likely the largest study of the information security profession ever conducted, the 2013 GISWS was conducted in the fall of 2012 through a Web-based survey. Since its first release in 2004, the study gauges the opinions of information security professionals and provides detailed insight into important trends and opportunities within the information security profession. It aims to provide a clear understanding of pay scales, skills gaps, training requirements, corporate hiring practices, security budgets, career progression, and corporate attitude toward information security that is of use to companies, hiring managers, and information security professionals. The full study can be found here: https://www.isc2cares.org/IndustryResearch/GISWS/.

There will be a speaking session on “The Threat Horizon: The 2013 Global Information Security Workforce Study” taking place at RSA Conference 2013 on Monday, February 25th from 12:30-1:30 p.m. PST in Room 302 of the Moscone Center. The panel will be moderated by Julie Peeler, (ISC)² Foundation director. Panelists include Hord Tipton, (ISC)² executive director; Michael Suby, GISWS author and co-program manager of Frost & Sullivan's Communications Service Strategies & Opportunities (CSSO) Analysis Service; Bruce Murphy, partner with Deloitte; and Gay Beach, senior associate with Booz Allen Hamilton. More information on this session can be found here: https://ae.rsaconference.com/US13/connect/sessionDetail.ww?SESSION_ID=2617&tclass=popup

A second session addressing strategies for building the workforce titled “It Takes a Village: Corporate Social Responsibility Programs for the Next Generation of InfoSec Workers” will take place on Friday, March 1st from 9:00-10:00 a.m. PST in Room 123 of the Moscone Center. Moderated by Julie Peeler, (ISC)² Foundation director, panelists will include Elise Yacobellis, director of global business development for (ISC)²; James Connelly, deputy CISO and director of security operations & intelligence for Lockheed Martin; and William Stewart, senior vice president for Booz Allen Hamilton.

Additional data specific to vertical markets will be made available later this year. U.S. federal government data will be released at (ISC)²’s CyberSecGov event, part of (ISC)²’s Security Leadership Series, to be held May 7 and 8, 2013 in Arlington, Virginia.

About Booz Allen Hamilton
Booz Allen Hamilton is a leading provider of management and technology consulting services to the U.S. government in defense, intelligence, and civil markets, and to major corporations, institutions, and not-for-profit organizations. Booz Allen is headquartered in McLean, Virginia, employs approximately 25,000 people, and had revenue of $5.86 billion for the 12 months ended March 31, 2012.

About Frost & Sullivan
Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?